From: Greg Kroah-Hartman Date: Mon, 24 Jan 2022 12:44:58 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.300~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a0580021163dd78708904152400c93e12f7782fd;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: af_unix-annote-lockless-accesses-to-unix_tot_inflight-gc_in_progress.patch net-axienet-wait-for-phyrstcmplt-after-core-reset.patch net-fsl-xgmac_mdio-fix-incorrect-iounmap-when-removing-module.patch parisc-pdc_stable-fix-memory-leak-in-pdcs_register_pathentries.patch --- diff --git a/queue-4.9/af_unix-annote-lockless-accesses-to-unix_tot_inflight-gc_in_progress.patch b/queue-4.9/af_unix-annote-lockless-accesses-to-unix_tot_inflight-gc_in_progress.patch new file mode 100644 index 00000000000..2dd7022b296 --- /dev/null +++ b/queue-4.9/af_unix-annote-lockless-accesses-to-unix_tot_inflight-gc_in_progress.patch @@ -0,0 +1,128 @@ +From 9d6d7f1cb67cdee15f1a0e85aacfb924e0e02435 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 14 Jan 2022 08:43:28 -0800 +Subject: af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress + +From: Eric Dumazet + +commit 9d6d7f1cb67cdee15f1a0e85aacfb924e0e02435 upstream. + +wait_for_unix_gc() reads unix_tot_inflight & gc_in_progress +without synchronization. + +Adds READ_ONCE()/WRITE_ONCE() and their associated comments +to better document the intent. + +BUG: KCSAN: data-race in unix_inflight / wait_for_unix_gc + +write to 0xffffffff86e2b7c0 of 4 bytes by task 9380 on cpu 0: + unix_inflight+0x1e8/0x260 net/unix/scm.c:63 + unix_attach_fds+0x10c/0x1e0 net/unix/scm.c:121 + unix_scm_to_skb net/unix/af_unix.c:1674 [inline] + unix_dgram_sendmsg+0x679/0x16b0 net/unix/af_unix.c:1817 + unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258 + sock_sendmsg_nosec net/socket.c:704 [inline] + sock_sendmsg net/socket.c:724 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2409 + ___sys_sendmsg net/socket.c:2463 [inline] + __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549 + __do_sys_sendmmsg net/socket.c:2578 [inline] + __se_sys_sendmmsg net/socket.c:2575 [inline] + __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffffffff86e2b7c0 of 4 bytes by task 9375 on cpu 1: + wait_for_unix_gc+0x24/0x160 net/unix/garbage.c:196 + unix_dgram_sendmsg+0x8e/0x16b0 net/unix/af_unix.c:1772 + unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258 + sock_sendmsg_nosec net/socket.c:704 [inline] + sock_sendmsg net/socket.c:724 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2409 + ___sys_sendmsg net/socket.c:2463 [inline] + __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549 + __do_sys_sendmmsg net/socket.c:2578 [inline] + __se_sys_sendmmsg net/socket.c:2575 [inline] + __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x00000002 -> 0x00000004 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 9375 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 9915672d4127 ("af_unix: limit unix_tot_inflight") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220114164328.2038499-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/unix/garbage.c | 14 +++++++++++--- + net/unix/scm.c | 6 ++++-- + 2 files changed, 15 insertions(+), 5 deletions(-) + +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -197,8 +197,11 @@ void wait_for_unix_gc(void) + { + /* If number of inflight sockets is insane, + * force a garbage collect right now. ++ * Paired with the WRITE_ONCE() in unix_inflight(), ++ * unix_notinflight() and gc_in_progress(). + */ +- if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress) ++ if (READ_ONCE(unix_tot_inflight) > UNIX_INFLIGHT_TRIGGER_GC && ++ !READ_ONCE(gc_in_progress)) + unix_gc(); + wait_event(unix_gc_wait, gc_in_progress == false); + } +@@ -218,7 +221,9 @@ void unix_gc(void) + if (gc_in_progress) + goto out; + +- gc_in_progress = true; ++ /* Paired with READ_ONCE() in wait_for_unix_gc(). */ ++ WRITE_ONCE(gc_in_progress, true); ++ + /* First, select candidates for garbage collection. Only + * in-flight sockets are considered, and from those only ones + * which don't have any external reference. +@@ -304,7 +309,10 @@ void unix_gc(void) + + /* All candidates should have been detached by now. */ + BUG_ON(!list_empty(&gc_candidates)); +- gc_in_progress = false; ++ ++ /* Paired with READ_ONCE() in wait_for_unix_gc(). */ ++ WRITE_ONCE(gc_in_progress, false); ++ + wake_up(&unix_gc_wait); + + out: +--- a/net/unix/scm.c ++++ b/net/unix/scm.c +@@ -56,7 +56,8 @@ void unix_inflight(struct user_struct *u + } else { + BUG_ON(list_empty(&u->link)); + } +- unix_tot_inflight++; ++ /* Paired with READ_ONCE() in wait_for_unix_gc() */ ++ WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1); + } + user->unix_inflight++; + spin_unlock(&unix_gc_lock); +@@ -76,7 +77,8 @@ void unix_notinflight(struct user_struct + + if (atomic_long_dec_and_test(&u->inflight)) + list_del_init(&u->link); +- unix_tot_inflight--; ++ /* Paired with READ_ONCE() in wait_for_unix_gc() */ ++ WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1); + } + user->unix_inflight--; + spin_unlock(&unix_gc_lock); diff --git a/queue-4.9/net-axienet-wait-for-phyrstcmplt-after-core-reset.patch b/queue-4.9/net-axienet-wait-for-phyrstcmplt-after-core-reset.patch new file mode 100644 index 00000000000..566b6993cbf --- /dev/null +++ b/queue-4.9/net-axienet-wait-for-phyrstcmplt-after-core-reset.patch @@ -0,0 +1,51 @@ +From b400c2f4f4c53c86594dd57098970d97d488bfde Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Tue, 18 Jan 2022 15:41:25 -0600 +Subject: net: axienet: Wait for PhyRstCmplt after core reset + +From: Robert Hancock + +commit b400c2f4f4c53c86594dd57098970d97d488bfde upstream. + +When resetting the device, wait for the PhyRstCmplt bit to be set +in the interrupt status register before continuing initialization, to +ensure that the core is actually ready. When using an external PHY, this +also ensures we do not start trying to access the PHY while it is still +in reset. The PHY reset is initiated by the core reset which is +triggered just above, but remains asserted for 5ms after the core is +reset according to the documentation. + +The MgtRdy bit could also be waited for, but unfortunately when using +7-series devices, the bit does not appear to work as documented (it +seems to behave as some sort of link state indication and not just an +indication the transceiver is ready) so it can't really be relied on for +this purpose. + +Fixes: 8a3b7a252dca9 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") +Signed-off-by: Robert Hancock +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -278,6 +278,16 @@ static int axienet_dma_bd_init(struct ne + axienet_dma_out32(lp, XAXIDMA_TX_CR_OFFSET, + cr | XAXIDMA_CR_RUNSTOP_MASK); + ++ /* Wait for PhyRstCmplt bit to be set, indicating the PHY reset has finished */ ++ ret = read_poll_timeout(axienet_ior, value, ++ value & XAE_INT_PHYRSTCMPLT_MASK, ++ DELAY_OF_ONE_MILLISEC, 50000, false, lp, ++ XAE_IS_OFFSET); ++ if (ret) { ++ dev_err(lp->dev, "%s: timeout waiting for PhyRstCmplt\n", __func__); ++ return ret; ++ } ++ + return 0; + out: + axienet_dma_bd_release(ndev); diff --git a/queue-4.9/net-fsl-xgmac_mdio-fix-incorrect-iounmap-when-removing-module.patch b/queue-4.9/net-fsl-xgmac_mdio-fix-incorrect-iounmap-when-removing-module.patch new file mode 100644 index 00000000000..29482d6a8d0 --- /dev/null +++ b/queue-4.9/net-fsl-xgmac_mdio-fix-incorrect-iounmap-when-removing-module.patch @@ -0,0 +1,36 @@ +From 3f7c239c7844d2044ed399399d97a5f1c6008e1b Mon Sep 17 00:00:00 2001 +From: Tobias Waldekranz +Date: Tue, 18 Jan 2022 22:50:53 +0100 +Subject: net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module + +From: Tobias Waldekranz + +commit 3f7c239c7844d2044ed399399d97a5f1c6008e1b upstream. + +As reported by sparse: In the remove path, the driver would attempt to +unmap its own priv pointer - instead of the io memory that it mapped +in probe. + +Fixes: 9f35a7342cff ("net/fsl: introduce Freescale 10G MDIO driver") +Signed-off-by: Tobias Waldekranz +Reviewed-by: Andrew Lunn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/xgmac_mdio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/xgmac_mdio.c ++++ b/drivers/net/ethernet/freescale/xgmac_mdio.c +@@ -301,9 +301,10 @@ err_ioremap: + static int xgmac_mdio_remove(struct platform_device *pdev) + { + struct mii_bus *bus = platform_get_drvdata(pdev); ++ struct mdio_fsl_priv *priv = bus->priv; + + mdiobus_unregister(bus); +- iounmap(bus->priv); ++ iounmap(priv->mdio_base); + mdiobus_free(bus); + + return 0; diff --git a/queue-4.9/parisc-pdc_stable-fix-memory-leak-in-pdcs_register_pathentries.patch b/queue-4.9/parisc-pdc_stable-fix-memory-leak-in-pdcs_register_pathentries.patch new file mode 100644 index 00000000000..acbdf9f722a --- /dev/null +++ b/queue-4.9/parisc-pdc_stable-fix-memory-leak-in-pdcs_register_pathentries.patch @@ -0,0 +1,42 @@ +From d24846a4246b6e61ecbd036880a4adf61681d241 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 20 Jan 2022 12:18:12 +0000 +Subject: parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Miaoqian Lin + +commit d24846a4246b6e61ecbd036880a4adf61681d241 upstream. + +kobject_init_and_add() takes reference even when it fails. +According to the doc of kobject_init_and_add(): + + If this function returns an error, kobject_put() must be called to + properly clean up the memory associated with the object. + +Fix memory leak by calling kobject_put(). + +Fixes: 73f368cf679b ("Kobject: change drivers/parisc/pdc_stable.c to use kobject_init_and_add") +Signed-off-by: Miaoqian Lin +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parisc/pdc_stable.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/parisc/pdc_stable.c ++++ b/drivers/parisc/pdc_stable.c +@@ -992,8 +992,10 @@ pdcs_register_pathentries(void) + entry->kobj.kset = paths_kset; + err = kobject_init_and_add(&entry->kobj, &ktype_pdcspath, NULL, + "%s", entry->name); +- if (err) ++ if (err) { ++ kobject_put(&entry->kobj); + return err; ++ } + + /* kobject is now registered */ + write_lock(&entry->rw_lock); diff --git a/queue-4.9/series b/queue-4.9/series index 733ee1d9162..50b7172e329 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -128,3 +128,7 @@ drm-radeon-fix-error-handling-in-radeon_driver_open_kms.patch rdma-hns-modify-the-mapping-attribute-of-doorbell-to-device.patch rdma-rxe-fix-a-typo-in-opcode-name.patch powerpc-fsl-dts-enable-wa-for-erratum-a-009885-on-fman3l-mdio-buses.patch +net-fsl-xgmac_mdio-fix-incorrect-iounmap-when-removing-module.patch +parisc-pdc_stable-fix-memory-leak-in-pdcs_register_pathentries.patch +af_unix-annote-lockless-accesses-to-unix_tot_inflight-gc_in_progress.patch +net-axienet-wait-for-phyrstcmplt-after-core-reset.patch